TLS · 3 June 2026 · 5 min read
Let's Encrypt has been free since 2016. There is no excuse for an HTTPS failure in 2026, and yet the TLS findings I still write on small business scans are the same three things every time.
DNS · 20 May 2026 · 5 min read
The cleanest web attack you can run takes about fifteen minutes, requires zero skill, and uses your own DNS against you. Here is why it keeps happening to otherwise careful businesses, and how I find them during scope calls.
security-headers · 11 May 2026 · 6 min read
The securityheaders.com public API is shutting down (Snyk announced April 2026). Plain-English walkthrough of the free AttackEdge alternative and a ready-made embed swap.
Fundamentals · 9 May 2026 · 6 min read
A small-business owner is rarely the person who fixes security findings. The web developer or MSP is. Here is how to hand a report over so it gets fixed, not parked.
ASM · 9 May 2026 · 5 min read
A passive measurement of email-authentication, TLS, and HTTP security-header adoption across 30 publicly-registered .com.au domains. Headline: 21 of 30 have no DMARC record published.
Compliance · 6 May 2026 · 7 min read
The OAIC's current position on the small business exemption, the categories of small business already covered, what 'reasonable steps' looks like under APP 11, and where dated external monitoring evidence fits regardless of whether the Privacy Act applies to your business.
Fundamentals · 22 Apr 2026 · 6 min read
Most of the browser-side attacks against small business sites are stopped by five lines of server config. Here is what each one does, which ones I still see missing in 2026, and the one that most people turn on wrong.
Email security · 10 Apr 2026 · 7 min read
The FBI tracks billions of dollars a year lost to attackers who email your customers pretending to be you, and the ACCC logs tens of millions more from Australian businesses. The DNS records that bounce the forged mail take four hours to set up, cost nothing, and most businesses still don't have them.
Fundamentals · 1 Apr 2026 · 6 min read
The short, opinionated checklist I actually run on a small business website before I bill them for anything bigger. Not a best-practices listicle. The things I've found broken on sites with real revenue, in order.
ASM · 18 Mar 2026 · 5 min read
What ASM actually is when you strip the Gartner quadrant off it, why I think small businesses need it more than the enterprise ones that buy it, and how to start without hiring anyone.